
Attackers can use video subtitles to hijack your devices

Only some media player apps have fixes for the security exploit.

Be careful before you fire up media player software to play that foreign-language movie -- it might be a way for intruders to compromise your system. Check Point researchers have discovered an exploit that uses maliciously crafted subtitles to take control of your device, whether it's a PC, phone or smart TV. It's not picky about the program, either -- the researchers demonstrated the flaw in Kodi, PopcornTime, Stremio and VLC. The technique isn't particularly complicated, and relies on developers' tendency to assume that subtitles are little more than innocuous text files.

As many media player apps download subtitles from repositories they explicitly trust, all it takes is an attacker who sneaks a malicious file into the repository in such a way that you're likely to download it. An intruder can manipulate a ratings-based subtitle system to push their file to the top, for instance. Combine that with the complexity of the subtitle world (there are over 25 formats, and each media player handles them differently) and you get a plethora of security holes.

The good news: in some cases, it's fixed. PopcornTime, Stremio and VLC all have updated versions (you can find them in the source link below). However, it's not guaranteed that your client of choice has a patch ready and waiting. Kodi only has a source code fix available as of this writing. If you're using another media player with subtitle support, you may want to be careful about using it until you know that the programmers have addressed this exploit.
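
The underlying point, that a downloaded subtitle is untrusted input rather than harmless text, can be shown with a strict loader for one format. This is an added example, not code from Check Point or any of the players named above; it assumes a player that only needs plain-text SubRip (.srt) cues, and the limits, function name and sample data are illustrative.

```python
import re

# Illustrative limits (assumptions, not taken from any player's code).
MAX_BYTES, MAX_CUES, MAX_CUE_CHARS = 1_000_000, 5_000, 500

TIMING = re.compile(r"^(\d{2}):([0-5]\d):([0-5]\d),(\d{3}) --> "
                    r"(\d{2}):([0-5]\d):([0-5]\d),(\d{3})$", re.ASCII)
TAG = re.compile(r"<[^>]*>|\{[^}]*\}")  # HTML-like and brace-style styling markup

# Constructed sample: two cues, the first carrying styling markup.
SAMPLE = (b"1\r\n00:00:01,000 --> 00:00:02,500\r\n<i>Hello</i> {\\an8}world\r\n\r\n"
          b"2\r\n00:00:03,000 --> 00:00:04,000\r\nSecond line\r\n")

def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)

def parse_untrusted_srt(raw: bytes):
    """Return [(start_ms, end_ms, plain_text)] or raise ValueError."""
    if len(raw) > MAX_BYTES:                 # cap size before any parsing
        raise ValueError("subtitle file too large")
    try:
        text = raw.decode("utf-8-sig")       # strict decode, no charset guessing
    except UnicodeDecodeError as exc:
        raise ValueError("not valid UTF-8") from exc
    if "\x00" in text:
        raise ValueError("NUL byte in subtitle")
    blocks = re.split(r"\n{2,}", text.replace("\r\n", "\n").strip())
    if len(blocks) > MAX_CUES:
        raise ValueError("too many cues")
    cues = []
    for block in blocks:
        lines = block.split("\n")
        if len(lines) < 3 or not re.fullmatch(r"[0-9]+", lines[0].strip()):
            raise ValueError("malformed cue header")
        match = TIMING.match(lines[1].strip())
        if not match:
            raise ValueError("malformed timing line")
        g = match.groups()
        start, end = _ms(*g[:4]), _ms(*g[4:])
        if end <= start:
            raise ValueError("cue ends before it starts")
        # Keep text only: strip markup, then drop control characters.
        body = TAG.sub("", "\n".join(lines[2:]))
        body = "".join(c for c in body if c == "\n" or c.isprintable())
        if len(body) > MAX_CUE_CHARS:
            raise ValueError("cue text too long")
        cues.append((start, end, body))
    return cues
```

Anything that fails a check is rejected outright instead of being passed on to the renderer, and the renderer should still treat the returned text as data to escape, not markup to interpret.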
